-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68681/#review208836
-----------------------------------------------------------

Ship it!

Ship It!

- pengjianhua

On September 11, 2018, 3:07 a.m., Qiang Zhang wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68681/
> -----------------------------------------------------------
>
> (Updated September 11, 2018, 3:07 a.m.)
>
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Nitin Galave, pengjianhua,
> Ramesh Mani, Selvamohan Neethiraj, sam rome, Venkat Ranganathan, and
> Velmurugan Periasamy.
>
> Bugs: RANGER-2213
>     https://issues.apache.org/jira/browse/RANGER-2213
>
> Repository: ranger
>
> Description
> -------
>
> [SECURITY] CVE-2018-1336
> Severity: High
> Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30,
> 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
> Description: An improper handling of overflow in the UTF-8 decoder with
> supplementary characters can lead to an infinite loop in the decoder causing
> a Denial of Service.
>
> CVE-2018-8014
> Description: The default settings for the CORS filter provided in Apache
> Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to
> 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is
> expected that users of the CORS filter will have configured it appropriately
> for their environment rather than using it in the default configuration.
> Therefore, it is expected that most users will not be impacted by this issue.
>
> CVE-2018-8034
> Description: The host name verification when using TLS with the WebSocket
> client was missing. It is now enabled by default.
> Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31,
> 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
>
> Diffs
> -----
>
> pom.xml ae3f4be4c
>
> Diff: https://reviews.apache.org/r/68681/diff/1/
>
> Testing
> -------
>
> 1. Modify the ssl configuration item in install.properties for the Ranger
> Admin.
>
> **SSL config**
>
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> javax_net_ssl_keyStore=/opt/ranger-1.1.0-admin/ssl/keystore
> javax_net_ssl_keyStorePassword=hdp1234$
> javax_net_ssl_trustStore=/opt/ranger-1.1.0-admin/ssl/truststore
> javax_net_ssl_trustStorePassword=hdp1234$
> ...
>
> **------- PolicyManager CONFIG ----------------**
>
> policymgr_external_url=https://localhost:6182
> policymgr_http_enabled=false
> policymgr_https_keystore_file=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify.jks
> policymgr_https_keystore_keyalias=rangertomcatverify
> policymgr_https_keystore_password=hdp1234$
>
> 2. Install the Ranger Admin
>
> 3. Modify the ssl configuration item in install.properties for the usersync.
>
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
>
> POLICY_MGR_URL = https://sslrangerserver:6182
>
> **SSL Authentication**
>
> AUTH_SSL_ENABLED=false
> AUTH_SSL_KEYSTORE_FILE=/opt/ranger-1.1.0-admin/ssl/keystore
> AUTH_SSL_KEYSTORE_PASSWORD=hdp1234$
> AUTH_SSL_TRUSTSTORE_FILE=/opt/ranger-1.1.0-admin/ssl/truststore
> AUTH_SSL_TRUSTSTORE_PASSWORD=hdp1234$
>
> 4. Install the Ranger usersync
>
> 5. Modified the ssl configuration item in install.properties for the kms.
>
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
>
> POLICY_MGR_URL = https://sslrangerserver:6182
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> db_ssl_auth_type=2-way
> javax_net_ssl_keyStore=/opt/ranger-1.1.0-admin/ssl/keystore
> javax_net_ssl_keyStorePassword=hdp1234$
> javax_net_ssl_trustStore=/opt/ranger-1.1.0-admin/ssl/truststore
> javax_net_ssl_trustStorePassword=hdp1234$
>
> **SSL Client Certificate Information**
>
> SSL_KEYSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-keystore.jks
> SSL_KEYSTORE_PASSWORD=myKeyFilePassword
> SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-truststore.jks
> SSL_TRUSTSTORE_PASSWORD=changeit
>
> 6. Install the KMS
>
> 7. Modified the ssl configuration item in install.properties for plugins
>
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
>
> POLICY_MGR_URL = https://sslrangerserver:6182
>
> **SSL Client Certificate Information**
>
> SSL_KEYSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-keystore.jks
> SSL_KEYSTORE_PASSWORD=myKeyFilePassword
> SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-truststore.jks
> SSL_TRUSTSTORE_PASSWORD=changeit
>
> 8. Install plugins
>
> Thanks,
>
> Qiang Zhang
>
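
Added example, not part of the review request or of Ranger's code: a Python check that maps a Tomcat version string (for instance the one pinned in pom.xml) to the CVEs from the description above, using only the affected ranges quoted there. The function names and the ordering rule for `M`/`RC` pre-releases (milestone before release candidate before final release) are assumptions of this example.

```python
import re

# Affected ranges exactly as listed in the review request (both ends inclusive).
AFFECTED = {
    "CVE-2018-1336": [("9.0.0.M9", "9.0.7"), ("8.5.0", "8.5.30"),
                      ("8.0.0.RC1", "8.0.51"), ("7.0.28", "7.0.86")],
    "CVE-2018-8014": [("9.0.0.M1", "9.0.8"), ("8.5.0", "8.5.31"),
                      ("8.0.0.RC1", "8.0.52"), ("7.0.41", "7.0.88")],
    "CVE-2018-8034": [("9.0.0.M1", "9.0.9"), ("8.5.0", "8.5.31"),
                      ("8.0.0.RC1", "8.0.52"), ("7.0.35", "7.0.88")],
}

# Assumed ordering: milestone (M) < release candidate (RC) < final release.
_QUALIFIER_RANK = {"M": 0, "RC": 1, "": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](M|RC)(\d+))?$")


def version_key(version):
    """Turn '9.0.0.M9' or '7.0.86' into a tuple that sorts in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        # Refuse to guess: an unparsable version must not be reported as safe.
        raise ValueError("unrecognised Tomcat version: %r" % version)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    qualifier = m.group(4) or ""
    qualifier_no = int(m.group(5) or 0)
    return (major, minor, patch, _QUALIFIER_RANK[qualifier], qualifier_no)


def affected_cves(version):
    """Return the sorted list of CVEs whose quoted ranges contain `version`."""
    key = version_key(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(version_key(lo) <= key <= version_key(hi) for lo, hi in ranges):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample versions, not taken from the Ranger pom.xml.
    for sample in ("7.0.86", "7.0.88", "7.0.90", "9.0.0.M5"):
        print(sample, affected_cves(sample) or "not in any listed range")
```
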